Fear Factor: Why Security Is Still The Cloud's Biggest Hurdle

There's little doubt that cloud services are poised for tremendous growth as companies look to cut costs and improve efficiency. But a nagging problem threatens to dampen all the high hopes for cloud computing. A report issued earlier this year by a group of top information security executives from big-name companies such as Coca-Cola, Johnson & Johnson, and Wal-mart put it bluntly: Security remains the No. 1 obstacle to cloud adoption.

Indeed, a lack of trust and a sense that an organization wouldn't have complete control over its data or systems is hindering widespread adoption of cloud computing, solution providers and industry experts say. Regulatory compliance, data integrity and lack of transparency are top concerns for companies contemplating a shift to the cloud. While enterprises are adopting certain cloud-based services, many are keeping a firm grip on the data they believe is the most critical to their operations.

''It's about trust," said Todd O'Bert, president and CEO of Minneapolis-based Productive Corp., a security, storage and infrastructure solution provider. "We're still finding by and large that it's about insourcing vs. outsourcing and right now the stuff they are willing to outsource isn't part of their core operations."

However, confidence in cloud services is growing as industry efforts to create standards mature and cloud providers work to build trust and, experts say. They predict the shift to the cloud will be long and gradual as the cloud security challenges are overcome. Along the way, solution providers have an opportunity to help their customers make the transition to the cloud securely.

Sponsored post


Companies have been gradually moving to the cloud over the past decade, beginning with Software-as-a-Service (SaaS), fueled in part by companies such as Salesforce.com, which has had success with its popular CRM software. But providers selling Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) are still working to establish trust with potential clients and attract more businesses.

Jerry Irvine, CIO of Schaumburg, Ill.-based Prescient Solutions, an IT outsourcing firm, said enterprises are concerned about the safety of putting their intellectual property, financial information and personal customer data in a cloud environment. "A number of large corporations that we do business with have no intention of putting certain classes of data in the cloud," he said.

HIPAA, the Payment Card Industry Data Security Standard and various international and local privacy requirements are of major cloud concerns for businesses, Irvine said. Some European countries require that data reside in the host country, a mandate that can be difficult in a multitenant cloud environment. Moreover, IT departments fear losing control if they move data to a cloud provider.

"They have no control over security or management yet they're responsible if their data gets breached," he said.

Irvine cites another reason why some enterprises are shying away from the cloud: the lack of the ability to audit the cloud provider. Large, highly regulated companies often must have the ability to conduct independent tests of a provider's security controls, he said, but cloud providers generally are unwilling to permit such tests.

For small businesses that don't view IT as a critical asset and want to minimize costs as much as possible, security isn't as much of a barrier to cloud adoption, said Paul Hill, senior consultant at SystemExperts, a security consulting services firm based in Sudbury, Mass. Meanwhile, large companies that place a high priority on security and have a lot of resources can put cloud services through formal risk assessments using existing security frameworks such as ISO 27001.

"In between, there are companies that value IT and know security is a concern but don't have an existing way to evaluate risk and are unfamiliar with various frameworks," Hill said. "They're the most reluctant to adopt cloud services. They don't know a way to get a handle on it."

NEXT: Efforts To Bridge The Gap


The Cloud Security Alliance (CSA), a nonprofit coalition of industry practitioners, corporations, associations and other key stakeholders, is working to assuage fears about cloud computing. The group has launched a number of best practice initiatives and developed frameworks that aim to increase visibility into cloud provider security controls and overall improve industry confidence in cloud security.

A survey of more than 250 cloud users, providers and consultants conducted by the CSA and the certifications body ISACA found that cloud-based services have room to improve on the security and governance front. Nearly all the survey respondents indicated that they thought cloud computing was far from reaching maturity. Only SaaS was the furthest along, with infrastructure and platform services still considered in the infancy stages. SaaS scored the highest adoption rate in the study, with 62.3 percent, followed by IaaS with 35.7 percent and PaaS with 22.6 percent.

The survey found that companies want to reduce the data center footprint in the organization and gain business benefits while reducing costs, but they are also seeking assurances that the services will be reliable, available and secure, said Jim Reavis, executive director of the CSA.

To that end, the CSA last year launched a security certification program for cloud service providers. The Open Certification Framework ensures a cloud provider implements security controls in line with the CSA's guidance by getting certified via ISO 27001. A cloud provider's certification, combined with a listing in the CSA's Security Trust and Assurance Registry (STAR) program, a public repository of providers' security controls, can give companies evaluating cloud providers much more assurance and documentation about the provider's security posture, Reavis said.

"There's always a question of the absolute baseline of what a provider should do vs. a la carte security services to meet a higher assurance need," Reavis said. "If you're providing highly available consumer-oriented service, you are going to want to make it economical, so we as an industry are going to have to get educated enough to ensure that even just the baseline will have a fair amount of security in it as well."

Reavis said market pressure has helped the STAR registry grow past 20 providers since it was launched early last year. To obtain a listing, cloud providers must answer a set of assessment questions based on the ISO 27001 standard and ultimately agree to have that data freely available in the registry. Most of the cloud firms signing on to the registry program say customers are asking them to open up, he said. It's that kind of movement -- customers asking for security and transparency -- that will force cloud providers to institute changes.

"You can feel the market pressure happening," Reavis said. "Organizations are getting regular queries from potential customers wondering why they're not there [in STAR], so I think we'll see more cloud providers and some niche ones as well [added to the registry]."

Cloud adoption has been slow but steadily growing, Reavis said. "I'm seeing a lot of enterprises that have six-figure bills with Infrastructure-as-a-Service cloud providers," he said. "When you trace it back, it's common that it starts as a pilot or small group within the organization needing additional flexibility and it grows from there."

Service providers are beginning to find ways to differentiate themselves with tailored services for their clients in the form of security, maintenance and reliability. Small projects eventually help executives and IT teams establish trust with the provider, according to Reavis.

NEXT: Cloud Providers Step Up


Some of the biggest names in cloud computing say they're doing everything they can to address companies' security concerns.

"At AWS, security is our No. 1 priority," Terry Wise, head of the worldwide partner ecosystem for Amazon Web Services, said in an email interview. "We will drop anything we're working on if we think there needs to be work done to fortify security further."

AWS uses traditional security strategies and techniques plus unique approaches it's developed over the years, he said. The company's security measures include strict physical access control to its data centers, network monitoring and application-level services such as AWS Identity and Access Management. In response to customer demand, AWS has invested in certifications such as ISO 27001, PCI and HIPAA compliance, Wise said. AWS filed documentation with the CSA's STAR last summer.

Verizon Terremark prides itself on going "above and beyond" what security-conscious customers ask for, and has certified its infrastructure against a number of standards, including ISO 27001 and PCI, Omar Khawaja, managing principal of global security, told CRN. The company also is a member of STAR.

One way for organizations to overcome data continuity and retention issues is to leverage the cost benefits of a multitenant architecture in which all organizations are sharing compute resources, but also set up a dedicated environment for systems that store sensitive data, said Troy Garrison, vice president of cloud experience at Verizon Terremark. Co-located facilities are typically provided by large cloud service providers, enabling organizations to take a more hybrid approach, isolating sensitive systems and setting up a more hardened environment, he said.

A hybrid approach can help address the risk of data seizure. If the FBI seizes servers from another company as part of an investigation under the U.S. Patriot Act, organizations that established hybrid environments for their more critical data would not be impacted, Garrison said. Verizon Terremark also provides data centers in other countries to help companies meet data retention laws in Germany, Denmark and France, for example. Customers can choose if they want multitenant firewalls and load balancers. Logs are collected and monitored by Verizon Terremark employees, he said.

"Every year the issues have become less and less of a problem," Garrison said. "We now have a large security practice and we alleviate most of the security outside of the comingling of data; we do not participate in a flat public network."

As for the ability of customers to audit, it depends, Khawaja said. "At the end of the day, we need to make a risk assessment. There are certainly parts of the infrastructure that are shared by multiple customers, so what we can't do is allow a customer to engage in an assessment activity that could cause undue risk and potentially harm another customer's environment and its availability," he said.

NEXT: Solution Provider Opportunities


AWS' Wise said channel partners play a big role helping enterprises transition to the cloud. Specifically, the company's big system integrator partners provide IT consulting services around architecture, governance and operations to enterprise customers wanting to use AWS for production workloads such as SAP and big data analysis.

"SI partners play an important role in providing the technical services required to migrate from an on-premises enterprise environment to AWS," Wise said.

For security consulting firms such as SystemExperts, growing interest in cloud services has generated requests for security reviews. One customer sent a team of SystemExperts consultants and internal staff to evaluate a cloud service provider, Hill said. "We looked at the architecture and a wide number of controls. We interviewed them on exactly how they implement some encryption technologies," he said.

One of the first steps an organization should take before moving data to a cloud environment is classifying the data, Hill said. "Once you have that, it's easier to talk about what the risks are," he said. It's going to take additional education and know-how to walk organizations through a thorough evaluation, said Sean Bruton, senior product manager at Hosting.com. The right questions need to be asked and businesses need to make sure their questions are clearly answered. They need to make sure a provider isn't treating security as a reactive part of its job, he said. Smaller providers may have less skilled staffers, such as system administrators, handling security as issues come up. Get customer referrals and understand the background of the people maintaining the systems, he said.

"You want to make sure there are people in charge capable of managing risk and are knowledgeable about the types of controls that need to be deployed and maintained and the threats that your organization faces," Bruton said. "Take the time to talk to the people in the organization."

Bruton, who oversees security and compliance for the company's managed hosting services, said incident response, vulnerability management and activity monitoring should be part of the discussion with the cloud provider before signing a contract.

Allen Falcon, CEO of Westborough, Mass.-based Cumulus Global, a cloud provider and premier Google Apps SMB partner, said his firm prefers working with cloud vendors that target markets with high security needs. "We pick products and services that start at the high end ... as opposed to looking for a vendor and waiting for it to become secure," he said.

In fact, the security provided by a cloud service such as Google Apps -- which has multiple security certifications -- is more than most small and midsize companies can provide on their own, Falcon said. "When we implement Google Apps, we enforce high levels of encryption so that everything is encrypted, not just at rest in the data center but in transit to the end device as well," he said.

If a customer believes it needs even more security, there are third-party products that can meet their requirements, he said. Cumulus Global works with a variety of third-party cloud security providers, such as Symplified, a supplier of identity management services.

NEXT: Making Headway


Overall, the industry is making steady progress in chipping away at cloud security challenges, including meeting the compliance needs of highly regulated industries, experts said.

"As cloud providers get more experience and exposure to certain businesses such as banks, they'll get more comfortable with the regulations, and if they can get these requirements in place, they can attract even more business from the financial sector," said Tony Meholic, senior vice president and chief security officer at The Bancorp Bank, a commercial bank based in Wilmington, Del.

The CSA, he added, "will help to promulgate a good vision and focus for migration to the cloud."

Experts said they expect the industry will move toward a mixture of public and private cloud services, giving companies the option of more control and visibility into their sensitive data.

"I have not heard anyone say, 'We're pulling back from cloud,' " the CSA's Reavis said. "Generally, it isn't a failure that moves an organization to a private cloud; it's the need for specific granular control or visibility that they weren't getting from a public cloud provider."

According to Productive Corp.'s O'Bert, cloud adoption will be a long, evolving process and the channel will adapt to buying trends for systems and services.

"It's all still endpoints and servers. Organizations are still going to need the technology and going to need to pay for it," O'Bert said. "People every day are getting more comfortable with the fact that their data doesn't reside on that endpoint device or even on the server down the hall. The longer people are comfortable with that, the more that it will change the way they buy, procure and use the technology that protects them."